MXS-1220: Allow admin interface to be disabled

Allowing the admin interface to be disabled completely makes it possible
to remove any security concerns that could arise from its use.
Markus Mäkelä 2017-05-11 12:04:36 +03:00 committed by Markus Mäkelä
parent 39da11763b
commit ca7b24f6fa
4 changed files with 26 additions and 10 deletions


@ -542,7 +542,7 @@ The port where the HTTP admin interface listens on. The default value is port
Enable HTTP admin interface authentication using HTTP Basic Access
authentication. This is not a secure method of authentication but it does add a
small layer of security. This option id disabled by default.
small layer of security. This option is disabled by default.
#### `admin_user`
@ -573,6 +573,11 @@ documentation for more details.
The path to the TLS CA certificate in PEM format. See `admin_ssl_key`
documentation for more details.
#### `admin_enabled`
Enable or disable the admin interface. This allows the admin interface to
be completely disabled to prevent access to it.
### Service
A service represents the database service that MariaDB MaxScale offers to the


@ -69,6 +69,7 @@ MXS_BEGIN_DECLS
*/
extern const char CN_ADDRESS[];
extern const char CN_ADMIN_AUTH[];
extern const char CN_ADMIN_ENABLED[];
extern const char CN_ADMIN_HOST[];
extern const char CN_ADMIN_PASSWORD[];
extern const char CN_ADMIN_PORT[];
@ -196,6 +197,7 @@ typedef struct
char admin_host[MAX_ADMIN_HOST_LEN]; /**< Admin interface host */
uint16_t admin_port; /**< Admin interface port */
bool admin_auth; /**< Admin interface authentication */
bool admin_enabled; /**< Admin interface is enabled */
char admin_ssl_key[PATH_MAX]; /**< Admin SSL key */
char admin_ssl_cert[PATH_MAX]; /**< Admin SSL cert */
char admin_ssl_ca_cert[PATH_MAX]; /**< Admin SSL CA cert */


@ -54,6 +54,7 @@ using std::string;
const char CN_ADDRESS[] = "address";
const char CN_ADMIN_AUTH[] = "admin_auth";
const char CN_ADMIN_ENABLED[] = "admin_enabled";
const char CN_ADMIN_HOST[] = "admin_host";
const char CN_ADMIN_PASSWORD[] = "admin_password";
const char CN_ADMIN_PORT[] = "admin_port";
@ -1552,6 +1553,10 @@ handle_global_item(const char *name, const char *value)
{
gateway.admin_auth = config_truth_value(value);
}
else if (strcmp(name, CN_ADMIN_ENABLED) == 0)
{
gateway.admin_enabled = config_truth_value(value);
}
else
{
for (i = 0; lognames[i].name; i++)
@ -1774,6 +1779,7 @@ global_defaults()
gateway.skip_permission_checks = false;
gateway.admin_port = DEFAULT_ADMIN_HTTP_PORT;
gateway.admin_auth = false;
gateway.admin_enabled = true;
strcpy(gateway.admin_host, DEFAULT_ADMIN_HOST);
strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
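Review bot: The new `admin_enabled` branch in handle_global_item stores the result of `config_truth_value(value)` straight into a `bool`, so if that helper signals an unrecognised value with a non-zero code (its definition is not on this page, so confirm this), a mistyped value would convert to `true` and leave the interface enabled. For a switch meant to close off the admin interface, an invalid value should be rejected rather than converted: keep the result in an `int`, as in `int enabled = config_truth_value(value);`, and log an error and fail the configuration load when it is negative. The `admin_auth` branch just above follows the same pattern and would fail open in the same way. Separately, global_defaults sets `admin_enabled = true` next to `admin_auth = false`, so the `admin_enabled` documentation should state that the interface is on by default. handle_global_item and global_defaults both begin and end outside their hunks.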


@ -1982,16 +1982,19 @@ int main(int argc, char **argv)
}
}
if (mxs_admin_init())
if (cnf->admin_enabled)
{
MXS_NOTICE("Started REST API on [%s]:%u", cnf->admin_host, cnf->admin_port);
}
else
{
const char* logerr = "Failed to initialize admin interface";
print_log_n_stderr(true, true, logerr, logerr, 0);
rc = MAXSCALE_INTERNALERROR;
goto return_main;
if (mxs_admin_init())
{
MXS_NOTICE("Started REST API on [%s]:%u", cnf->admin_host, cnf->admin_port);
}
else
{
const char* logerr = "Failed to initialize admin interface";
print_log_n_stderr(true, true, logerr, logerr, 0);
rc = MAXSCALE_INTERNALERROR;
goto return_main;
}
}
MXS_NOTICE("MaxScale started with %d server threads.", config_threadcount());
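Review bot: When `cnf->admin_enabled` is false, the new code in main() skips mxs_admin_init() without logging anything, so the startup log never records that the REST API was deliberately turned off. An `else` branch on the outer `if`, such as `MXS_NOTICE("REST API is disabled");`, would give operators and auditors a line confirming that the hardening took effect. It is also worth checking that the shutdown path, which is outside this hunk, tolerates the interface never having been initialised. main() starts and ends outside the hunk.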